CVE-2017-17970
published 2018-01-12


Priority P266 | critical | 9.8 CVSS 3.0
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 5.41% (91.7th percentile)
Multiple SQL injection vulnerabilities in Muviko 1.1 allow remote attackers to execute arbitrary SQL commands via the (1) email parameter to login.php; the (2) season_id parameter to themes/flixer/ajax/load_season.php; the (3) movie_id parameter to themes/flixer/ajax/get_rating.php; the (4) rating or (5) movie_id parameter to themes/flixer/ajax/update_rating.php; or the (6) id parameter to themes/flixer/ajax/set_player_source.php.

Affected

1 ranges
Vendor | Product | Version range | Fixed in
muvikoscript | muviko | |

Detection & IOCs (extracted from sources)

path: /login.php
path: /themes/flixer/ajax/load_season.php
path: /themes/flixer/ajax/get_rating.php
path: /themes/flixer/ajax/update_rating.php
path: /themes/flixer/ajax/set_player_source.php
command: [email protected]'%2b(select*from(select(sleep(20)))a)%2b'&password=admxn&login=
command: season_id=-19'+union+all+select+1,2,3,4,5,6,7,8,9--+-
command: movie_id=9'+AND+SLEEP(5)+AND+'AAA'='AAA
  • Detect time-based blind SQLi against login.php via POST email parameter containing sleep() payload
  • Detect UNION-based SQLi in GET parameter season_id to /themes/flixer/ajax/load_season.php (pattern: negative id value followed by union+all+select)
  • Detect time-based blind SQLi in GET parameter movie_id to /themes/flixer/ajax/get_rating.php using SLEEP()
  • Monitor GET requests to /themes/flixer/ajax/update_rating.php and /themes/flixer/ajax/set_player_source.php for SQL metacharacters in movie_id, rating, and id parameters
  • All exploit requests use X-Requested-With: XMLHttpRequest header — correlate anomalous SQLi patterns on AJAX endpoints with this header
  • All vulnerable endpoints are specific to Muviko version 1.1 only; later versions may have different paths or patched parameters
  • The PHPSESSID cookie value in the PoC is a test/placeholder value and should not be used as a reliable IOC for attribution; focus on URL path and parameter patterns instead
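
The detection notes above, expressed as a log-inspection routine. This is an added example, not code from this page or from Muviko. The endpoint and parameter map comes from the CVE description; the function names, the request record layout and the sample requests are assumptions made for illustration.

```python
import re
from urllib.parse import parse_qs

# Endpoint -> parameters named in the CVE-2017-17970 description above.
WATCHED = {
    "/login.php": {"email"},
    "/themes/flixer/ajax/load_season.php": {"season_id"},
    "/themes/flixer/ajax/get_rating.php": {"movie_id"},
    "/themes/flixer/ajax/update_rating.php": {"rating", "movie_id"},
    "/themes/flixer/ajax/set_player_source.php": {"id"},
}
# (label, regex) pairs applied to each URL-decoded parameter value.
RULES = [
    ("time-based", re.compile(r"\bsleep\s*\(", re.I)),
    ("union-based", re.compile(r"\bunion\s+(?:all\s+)?select\b", re.I)),
    ("metachar", re.compile(r"""['";]|--|/\*""")),
]

def inspect(path, raw_params):
    """Return sorted (param, label) hits; raw_params is a query string or POST body."""
    hits = set()
    watched = WATCHED.get(path, set())
    for name, values in parse_qs(raw_params, keep_blank_values=True).items():
        if name in watched:
            for value in values:
                hits.update((name, label) for label, rx in RULES if rx.search(value))
    return sorted(hits)

def scan(requests):
    """Return one alert per request with hits; header names assumed already normalised."""
    alerts = []
    for req in requests:
        hits = inspect(req["path"], req["params"])
        if hits:
            xhr = req.get("headers", {}).get("X-Requested-With") == "XMLHttpRequest"
            alerts.append({"path": req["path"], "hits": hits, "xhr": xhr})
    return alerts

# Constructed sample requests; payloads are the ones listed above, the e-mail
# address is a placeholder.
SAMPLE = [
    {"path": "/login.php", "headers": {"X-Requested-With": "XMLHttpRequest"},
     "params": "email=user@example.test'%2b(select*from(select(sleep(20)))a)%2b'&password=admxn&login="},
    {"path": "/themes/flixer/ajax/load_season.php", "headers": {"X-Requested-With": "XMLHttpRequest"},
     "params": "season_id=-19'+union+all+select+1,2,3,4,5,6,7,8,9--+-"},
    {"path": "/themes/flixer/ajax/get_rating.php", "headers": {}, "params": "movie_id=9"},
]

if __name__ == "__main__":
    for alert in scan(SAMPLE):
        print(alert)
```

The `metachar` rule will also fire on a legitimate e-mail address containing an apostrophe, so on `login.php` it is better treated as a low-confidence signal unless it coincides with one of the other two labels.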

CVSS provenance

nvd | v3.0 | 9.8 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P